Lesson 9 · Security, telemetry & operations
mTLS & identity
Istio's zero-trust story — encryption and identity with no app code — and why this repo turns it off.
Your win: explain how Istio does mutual TLS and workload identity (PeerAuthentication, SPIFFE, istiod as CA) — the cert-exam material — and articulate why this repo deliberately leaves it off, and what it does instead.
How Istio does mTLS (the concept)
The headline feature of a service mesh's security story is mutual TLS between sidecars, with no application changes. When it's on, every service-to-service call is encrypted and both ends prove their identity.1 Three pieces make it work:
- istiod is the Certificate Authority. It issues each workload a short-lived certificate; the sidecars rotate them automatically.
- Identity is SPIFFE. The cert encodes
spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>— built from the Pod's Kubernetes ServiceAccount (Course 2 L12). So a workload's identity is its ServiceAccount, cryptographically. - PeerAuthentication sets the mode.
STRICT(require mTLS),PERMISSIVE(accept mTLS or plaintext — the migration mode), orDISABLE. It can be mesh-wide, per-namespace, or per-workload.2
What this repo actually does — and doesn't
enableAutoMtls: false(deployments/helm/platforms/istio/istiod-values.yaml:13) — in base/stag/prod (only local sets it true).- No
PeerAuthenticationexists anywhere in the repo — so there's no STRICT/PERMISSIVE policy; in-cluster traffic is effectively plaintext. outboundTrafficPolicy.mode: ALLOW_ANY(:11-12) — egress to unknown hosts is allowed too.
Istio docs — Security (concept) + PeerAuthentication
Identity/SPIFFE, how mTLS works between sidecars, and the STRICT/PERMISSIVE modes.
Check yourself (from memory)
Q1. In Istio, a workload's identity is derived from its…
…/ns/<ns>/sa/<sa> — identity = ServiceAccount.
Q2. The policy that sets mTLS to STRICT/PERMISSIVE is…
Q3. In this repo, in-mesh mTLS is…
enableAutoMtls: false and no PeerAuthentication —
routing + edge TLS + telemetry mesh, not zero-trust.
spiffe://td/ns/<ns>/sa/<sa> from the Pod's
ServiceAccount; (3) PEERAUTHENTICATION sets mode — STRICT / PERMISSIVE (migration) / DISABLE,
mesh/ns/workload scoped. mTLS proves WHO (auth); AuthorizationPolicy decides ALLOWED (Lesson
10). REPO (opposite of default): enableAutoMtls: false
(istiod-values.yaml:13), NO PeerAuthentication, outboundTrafficPolicy:
ALLOW_ANY → NOT zero-trust; boundary is the EDGE (ingress TLS), in-cluster plaintext.
Trade-off: saves CPU/complexity but a compromised Pod can reach any other. Identities (SAs)
already exist, so STRICT is a future upgrade, not a rebuild.1. Istio — Security.